Twitch, which is owned by Amazon.com Inc (AMZN.O), announced on Friday that last week's data breach at the live streaming e-sports platform includes documents from its source code.
The streaming platform said in a statement that the users' passwords, login credentials, complete credit card numbers, or bank data were not accessed or disclosed in the breach.
The platform, which is used by video gamers to communicate with users while live streaming content, attributed the breach to an issue in server configuration modification.
During server maintenance, modifications to the server's configuration are made. A flawed configuration can allow unauthorized access to the data stored on the servers.
Twitch said it was "confident" the incident affected only a small number of users and that it was contacting those who had been directly impacted. The platform has more than 30 million average daily visitors.
Video Games Chronicle had reported that about 125 gigabytes of data was leaked in the breach. Data includes details on Twitch's highest-paid video game streamers since 2019 such as a $9.6 million payout to the voice actors of the popular game "Dungeons & Dragons" and $8.4 million to Canadian streamer xQcOW.
About the breach
On October 6, Twitch confirmed that it has suffered a major data breach and that a hacker accessed the company’s servers due to a misconfiguration change.
A Twitch spokesperson stated on Twitter, “We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available.”
The leaked Twitch data reportedly includes:
- The entirety of Twitch’s source code with commit history “going back to its early beginnings”
- Creator payout reports from 2019
- Mobile, desktop, and console Twitch clients
- Proprietary SDKs and internal AWS services used by Twitch
- “Every other property that Twitch owns” including IGDB and CurseForge
- An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
- Twitch internal ‘red teaming’ tools (designed to improve security by having staff pretend to be hackers)
It is advised that Twitch users use two-factor authentication, which implies that even if the password is hacked, the user will still need to use the phone to confirm the identity via SMS or an authenticator app.